Resubmissions

10-11-2024 21:28

241110-1bhk6avgrr 10

Analysis

  • max time kernel
    147s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    10-11-2024 21:28

General

  • Target

    058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • Blocklisted process makes network request 7 IoCs
  • Drops startup file 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ystPIbPNKH.js"
      2⤵
      • Drops startup file
      PID:2228
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ystPIbPNKH.js"
        3⤵
        • Drops startup file
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js

    Filesize

    38KB

    MD5

    b6dd12e8207cb20a56c9063d8ae13403

    SHA1

    81c8d38e92d3861e5f938e1e0e73ce109f52b317

    SHA256

    058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc

    SHA512

    a2d08ecdca6e0245c0583deddba9b131d7bd1c065cf5f70463cd845b758c53b5f5c98a0790d328fc8ae1714b8864b565db6a70d4d0d38f2ac08f8ecb4b338599

  • C:\Users\Admin\AppData\Roaming\ystPIbPNKH.js

    Filesize

    5KB

    MD5

    3f75805db0186d3c8029b081f5f2fee8

    SHA1

    52638c547acfeee17fcc4b1a07c2793189a961b1

    SHA256

    ed8dda658502e532ef36879efc55c342c58b5df99727bf40469ba9f2aec2ab9c

    SHA512

    ee4f61bf7107376f235a09588d279b42402df4017857fbeaf69f316ed4e65501af2a620290044b9c73dfd9d46906a0db823dd53044daf05e395c120fb81c5cd7